6 files changed, 71 insertions, 13 deletions
diff --git a/lib/ssl/doc/src/ssl.xml b/lib/ssl/doc/src/ssl.xml
index 910dca3889..4bc1a9a644 100644
--- a/lib/ssl/doc/src/ssl.xml
+++ b/lib/ssl/doc/src/ssl.xml
@@ -4,7 +4,7 @@
 <erlref>
   <header>
     <copyright>
-      <year>1999</year><year>2013</year>
+      <year>1999</year><year>2014</year>
       <holder>Ericsson AB. All Rights Reserved.</holder>
     </copyright>
     <legalnotice>
@@ -184,12 +184,6 @@
       <item> The DER encoded trusted certificates. If this option
       is supplied it will override the cacertfile option.</item>
 
-      <tag>{cacertfile, path()}</tag>
-      <item>Path to file containing PEM encoded
-      CA certificates (trusted certificates used for verifying a peer
-      certificate). May be omitted if you do not want to verify
-      the peer.</item>
-
       <tag>{ciphers, ciphers()}</tag>
       <item>The cipher suites that should be supported. The function
       <c>cipher_suites/0</c> can be used to find all ciphers that are
@@ -354,7 +348,13 @@ fun(srp, Username :: string(), UserState :: term()) ->
       <item>Specifies if client should try to reuse sessions
       when possible.
       </item>
-
+      
+      <tag>{cacertfile, path()}</tag>
+      <item>The path to a file containing PEM encoded CA certificates. The CA 
+      certificates are used during server authentication and when building the
+      client certificate chain.
+     </item>
+  
       <tag>{client_preferred_next_protocols, {Precedence :: server | client, ClientPrefs :: [binary()]}}</tag>
       <tag>{client_preferred_next_protocols, {Precedence :: server | client, ClientPrefs :: [binary()], Default :: binary()}}</tag>
 	   <item>
@@ -403,7 +403,17 @@ fun(srp, Username :: string(), UserState :: term()) ->
     meaning in the server than in the client.</p>
 
     <taglist>
-
+      
+      <tag>{cacertfile, path()}</tag>
+      <item>The path to a file containing PEM encoded CA
+      certificates. The CA certificates are used to build the server
+      certificate chain, and for client authentication.  Also the CAs
+      are used in the list of acceptable client CAs passed to the
+      client when a certificate is requested. May be omitted if there
+      is no need to verify the client and if there are not any
+      intermediate CAs for the server certificate.
+      </item>
+  
       <tag>{dh, der_encoded()}</tag>
       <item>The DER encoded Diffie Hellman parameters. If this option
       is supplied it will override the dhfile option.
diff --git a/lib/ssl/src/ssl.erl b/lib/ssl/src/ssl.erl
index c3bdeb1a54..9e098e12c4 100644
--- a/lib/ssl/src/ssl.erl
+++ b/lib/ssl/src/ssl.erl
@@ -557,6 +557,7 @@ do_connect(Address, Port,
 handle_options(Opts0, _Role) ->
     Opts = proplists:expand([{binary, [{mode, binary}]},
 			     {list, [{mode, list}]}], Opts0),
+    assert_proplist(Opts),
     ReuseSessionFun = fun(_, _, _, _) -> true end,
 
     DefaultVerifyNoneFun =
@@ -1042,3 +1043,15 @@ connection_sup(dtls_connection) ->
 binary_filename(FileName) ->
     Enc = file:native_name_encoding(),
     unicode:characters_to_binary(FileName, unicode, Enc).
+
+assert_proplist([]) ->
+    true;
+assert_proplist([{Key,_} | Rest]) when is_atom(Key) ->
+    assert_proplist(Rest);
+%% Handle exceptions 
+assert_proplist([inet | Rest]) ->
+    assert_proplist(Rest);
+assert_proplist([inet6 | Rest]) ->
+    assert_proplist(Rest);
+assert_proplist([Value | _]) ->
+    throw({option_not_a_key_value_tuple, Value}).
diff --git a/lib/ssl/src/ssl_handshake.erl b/lib/ssl/src/ssl_handshake.erl
index 245cd3e280..74ca7ca699 100644
--- a/lib/ssl/src/ssl_handshake.erl
+++ b/lib/ssl/src/ssl_handshake.erl
@@ -1654,7 +1654,16 @@ dec_hello_extensions(<<?UINT16(?SIGNATURE_ALGORITHMS_EXT), ?UINT16(Len),
 dec_hello_extensions(<<?UINT16(?ELLIPTIC_CURVES_EXT), ?UINT16(Len),
 		       ExtData:Len/binary, Rest/binary>>, Acc) ->
     <<?UINT16(_), EllipticCurveList/binary>> = ExtData,
-    EllipticCurves = [tls_v1:enum_to_oid(X) || <<X:16>> <= EllipticCurveList],
+    %% Ignore unknown curves
+    Pick = fun(Enum) ->
+		   case tls_v1:enum_to_oid(Enum) of
+		       undefined ->
+			   false;
+		       Oid ->
+			   {true, Oid}
+		   end
+	   end,
+    EllipticCurves = lists:filtermap(Pick, [ECC || <<ECC:16>> <= EllipticCurveList]),
     dec_hello_extensions(Rest, Acc#hello_extensions{elliptic_curves =
 							#elliptic_curves{elliptic_curve_list =
 									     EllipticCurves}});
diff --git a/lib/ssl/src/tls_v1.erl b/lib/ssl/src/tls_v1.erl
index 7c7fdd64c3..7b1f53b969 100644
--- a/lib/ssl/src/tls_v1.erl
+++ b/lib/ssl/src/tls_v1.erl
@@ -1,7 +1,7 @@
 %%
 %% %CopyrightBegin%
 %%
-%% Copyright Ericsson AB 2007-2013. All Rights Reserved.
+%% Copyright Ericsson AB 2007-2014. All Rights Reserved.
 %%
 %% The contents of this file are subject to the Erlang Public License,
 %% Version 1.1, (the "License"); you may not use this file except in
@@ -439,7 +439,9 @@ enum_to_oid(24) -> ?secp384r1;
 enum_to_oid(25) -> ?secp521r1;
 enum_to_oid(26) -> ?brainpoolP256r1;
 enum_to_oid(27) -> ?brainpoolP384r1;
-enum_to_oid(28) -> ?brainpoolP512r1.
+enum_to_oid(28) -> ?brainpoolP512r1;
+enum_to_oid(_) ->
+    undefined.
 
 sufficent_ec_support() ->
     CryptoSupport = crypto:supports(),
diff --git a/lib/ssl/test/ssl_basic_SUITE.erl b/lib/ssl/test/ssl_basic_SUITE.erl
index 523760aba6..64a93440c7 100644
--- a/lib/ssl/test/ssl_basic_SUITE.erl
+++ b/lib/ssl/test/ssl_basic_SUITE.erl
@@ -96,6 +96,7 @@ basic_tests() ->
 options_tests() ->
     [der_input,
      misc_ssl_options,
+     ssl_options_not_proplist,
      socket_options,
      invalid_inet_get_option,
      invalid_inet_get_option_not_list,
@@ -990,7 +991,7 @@ misc_ssl_options(Config) when is_list(Config) ->
     ServerOpts = ?config(server_opts, Config),
     {ClientNode, ServerNode, Hostname} = ssl_test_lib:run_where(Config),
     
-    %% Chek that ssl options not tested elsewhere are filtered away e.i. not passed to inet.
+    %% Check that ssl options not tested elsewhere are filtered away e.i. not passed to inet.
     TestOpts = [{depth, 1}, 
 		{key, undefined}, 
 		{password, []},
@@ -1018,6 +1019,17 @@ misc_ssl_options(Config) when is_list(Config) ->
     ssl_test_lib:close(Client).
 
 %%--------------------------------------------------------------------
+ssl_options_not_proplist() ->
+    [{doc,"Test what happens if an option is not a key value tuple"}].
+
+ssl_options_not_proplist(Config) when is_list(Config) ->
+    BadOption =  {client_preferred_next_protocols, 
+		  client, [<<"spdy/3">>,<<"http/1.1">>], <<"http/1.1">>},
+    {option_not_a_key_value_tuple, BadOption} =
+	ssl:connect("twitter.com", 443, [binary, {active, false}, 
+					 BadOption]).
+
+%%--------------------------------------------------------------------
 versions() ->
     [{doc,"Test API function versions/0"}].
 
diff --git a/lib/ssl/test/ssl_handshake_SUITE.erl b/lib/ssl/test/ssl_handshake_SUITE.erl
index 7e8e8d2611..6d020c472b 100644
--- a/lib/ssl/test/ssl_handshake_SUITE.erl
+++ b/lib/ssl/test/ssl_handshake_SUITE.erl
@@ -34,6 +34,7 @@ suite() -> [{ct_hooks,[ts_install_cth]}].
 
 all() -> [decode_hello_handshake,
 	  decode_single_hello_extension_correctly,
+	  decode_supported_elliptic_curves_hello_extension_correctly,
 	  decode_unknown_hello_extension_correctly,
 	  encode_single_hello_sni_extension_correctly].
 
@@ -67,6 +68,17 @@ decode_single_hello_extension_correctly(_Config) ->
     #renegotiation_info{renegotiated_connection = <<0>>}
 	= Extensions#hello_extensions.renegotiation_info.
 
+decode_supported_elliptic_curves_hello_extension_correctly(_Config) ->
+    % List of supported and unsupported curves (RFC4492:S5.1.1)
+    ClientEllipticCurves = [0, tls_v1:oid_to_enum(?sect233k1), 37, tls_v1:oid_to_enum(?sect193r2), 16#badc],
+    % Construct extension binary - modified version of ssl_handshake:encode_hello_extensions([#elliptic_curves{}], _)
+    EllipticCurveList = << <<X:16>> || X <- ClientEllipticCurves>>,
+    ListLen = byte_size(EllipticCurveList),
+    Len = ListLen + 2,
+    Extension = <<?UINT16(?ELLIPTIC_CURVES_EXT), ?UINT16(Len), ?UINT16(ListLen), EllipticCurveList/binary>>,
+    % after decoding we should see only valid curves
+    #hello_extensions{elliptic_curves = DecodedCurves} = ssl_handshake:decode_hello_extensions(Extension),
+    #elliptic_curves{elliptic_curve_list = [?sect233k1, ?sect193r2]} = DecodedCurves.
 
 decode_unknown_hello_extension_correctly(_Config) ->
     FourByteUnknown = <<16#CA,16#FE, ?UINT16(4), 3, 0, 1, 2>>,